Detection of Running Malware Before it Becomes Malicious

Abstract: As more vulnerabilities are being discovered every year[17], malware constantly evolves forcing improvements and updates of security and malware detection mechanisms. Malware is used directly on the attacked systems, thus anti-virus solutions tend to neutralize malware by not letting it launch or even being stored in the system. However, if malware is launched it is important to stop it as soon as the maliciousness of a new process has been detected. Following the results from [8] in this paper we show, that i… Show more

“…During the analysis of findings made in [2] authors found, that most of the memory access patterns they recorded emerged from BEP. These findings lead to another work [3], where authors showed that memory access patterns from BEP can be used to detect malware with an accuracy similar to the one achieved with memory access patterns emerged from after the Entry Point (AEP). In particular, they achieved a classification accuracy of more than 99% when distinguishing between malicious and benign executables with a help of only 9 BEP memory access patterns.…”

“…This section is dedicated to the description of the methods used in this paper. Our choice of methods is based on findings made in [5], [2] and [3]. We begin with the description of our data collection process.…”

“…Our data collection is based on the BEP-AEP approach that was first presented and described in [3] and analysis of memory access patterns first used in [5]. The key concept involves splitting the behavioral trace of the process into two main parts: the one that occurs before the Entry Point (BEP) and after (AEP).…”

“…It has been recently shown, that it is possible to detect Windows malware based on the behavioral traces produced before the Entry Point (BEP) [3]. It is an important finding since malware malware stopped upon detection BEP can not harm the system where it was launched.…”

“…of [3] used k-fold cross-validation to assess the performance of the machine learning model used for malware detection. Such approach has some limitations: for example, the feature selection made on the full dataset may affect the validity of the classification performance results.…”

Detection of Previously Unseen Malware using Memory Access Patterns Recorded Before the Entry Point

“…During the analysis of findings made in [2] authors found, that most of the memory access patterns they recorded emerged from BEP. These findings lead to another work [3], where authors showed that memory access patterns from BEP can be used to detect malware with an accuracy similar to the one achieved with memory access patterns emerged from after the Entry Point (AEP). In particular, they achieved a classification accuracy of more than 99% when distinguishing between malicious and benign executables with a help of only 9 BEP memory access patterns.…”

“…This section is dedicated to the description of the methods used in this paper. Our choice of methods is based on findings made in [5], [2] and [3]. We begin with the description of our data collection process.…”

“…Our data collection is based on the BEP-AEP approach that was first presented and described in [3] and analysis of memory access patterns first used in [5]. The key concept involves splitting the behavioral trace of the process into two main parts: the one that occurs before the Entry Point (BEP) and after (AEP).…”

“…It has been recently shown, that it is possible to detect Windows malware based on the behavioral traces produced before the Entry Point (BEP) [3]. It is an important finding since malware malware stopped upon detection BEP can not harm the system where it was launched.…”

“…of [3] used k-fold cross-validation to assess the performance of the machine learning model used for malware detection. Such approach has some limitations: for example, the feature selection made on the full dataset may affect the validity of the classification performance results.…”

Detection of Previously Unseen Malware using Memory Access Patterns Recorded Before the Entry Point

Fast and Straightforward Feature Selection Method